The FTC's Fake Reviews Rule (2024) and Endorsement Guides both prohibit fabricated, purchased, or undisclosed-incentive reviews. A testimonial section with no verifiable attribution, an admin panel that creates testimonial records without user submissions, or a review invitation offering a gift card without disclosing that incentive on the review platform each constitute distinct FTC violations. Beyond enforcement risk, the FTC Fake Reviews Rule allows the agency to seek civil penalties — up to $50,120 per violation — making this category one of the highest per-instance liability items in consumer protection compliance.
Critical because fabricated reviews are a named violation under the FTC's 2024 Fake Reviews Rule with per-violation civil penalty exposure, and they corrupt the information environment that consumers rely on to make purchasing decisions.
Establish an auditable review collection process and verify existing testimonials have real user records behind them.
Review authenticity checklist:
1. Collection
   - Store testimonials with: user_id, submission_date, source (in-app prompt, email survey, external platform)
   - Never create testimonials from an admin panel without a corresponding user submission record
2. Attribution
   - Show: first name, last name or initial, role, company — enough for a reader to verify it plausibly exists
3. Incentivized reviews
   - Disclose the incentive in the review invitation
   - Use the platform's built-in incentive disclosure mechanism (G2, Capterra, Trustpilot all provide one)
   - Never offer incentives contingent on positive reviews
4. Audit existing records
   SELECT * FROM testimonials
   WHERE user_id IS NULL OR source IS NULL;
   -- Review every row for legitimacy before next deploy
Any review generation service found in dependencies should be removed immediately — the FTC Fake Reviews Rule prohibits services that generate reviews regardless of how they are labeled.
ID: ftc-consumer-protection.endorsement-disclosure.no-fabricated-reviews
Severity: critical
What to look for: Count all relevant instances and enumerate each. This check has two components. First, look for signs of fabricated or purchased reviews: (1) static testimonial arrays where all quotes follow an identical template, have suspiciously high-quality marketing language, or lack any verifiable attribution (full name, role, company); (2) external review profiles (G2, Capterra, Trustpilot, Product Hunt) with a pattern of reviews submitted within a short window with similar phrasing; (3) review generation services in dependencies or scripts (some paid review services are explicitly prohibited); (4) any admin interface for manually creating or editing review content without a real user submission trail. Second, look for incentivized reviews presented as organic: review flows that offer a discount, upgrade, or entry into a drawing in exchange for a review, without disclosing that incentive on the review platform where the review appears.
Pass criteria: All testimonials and reviews are from real, identifiable users. At least 1 implementation must be verified. Any incentivized review (where the reviewer received compensation, discounts, or other benefits) is disclosed on the platform where it appears, or the review is labeled as incentivized. No services or scripts for generating fake reviews are present.
Fail criteria: Testimonials appear to be fabricated (no verifiable attribution, suspiciously polished language, all submitted in a short window). Reviews were solicited with undisclosed incentives. An admin interface allows creating or editing customer reviews without an actual user submission. A paid review generation service is integrated.
Skip (N/A) when: The application displays no customer reviews, testimonials, ratings, or user-generated endorsements.
Detail on fail: Example: "Homepage testimonials all use identical sentence structure ('Since using [Product], I have...'). None have verifiable attribution beyond a first name and generic role. No submission trail found." or "Review invitation email offers a $20 gift card for leaving a review on G2, but G2 review does not disclose the incentive." or "Admin panel allows creating new testimonial records directly — no link to a user-submitted review."
Remediation: Establish a verifiable review collection process:
Review authenticity checklist:
1. Collect reviews through auditable channels:
   - In-app review prompts that link to external platforms (G2, Trustpilot)
   - Email campaigns to real user segments (ensure the recipient list is sourced from actual user records, not purchased lists)
   - Ensure each review on your site is linked to a real user account or an external verified profile
2. If you display testimonials on your own site:
   - Store them in your DB with: submitter user_id, submission date, submission source (email survey, in-app prompt, etc.)
   - Do not allow creating testimonials from an admin panel without a corresponding user submission record
   - Attribution should include: first name, last name (or initial), role, company — enough for a reader to verify it plausibly exists
3. If you offer incentives for reviews:
   - Disclose the incentive in the review invitation
   - On platforms like G2 or Capterra, use their built-in incentive disclosure mechanism (most platforms have one)
   - Never offer incentives contingent on positive reviews — only for leaving any honest review
4. Audit existing testimonials:
   SELECT * FROM testimonials
   WHERE user_id IS NULL OR source IS NULL;
   -- Any with no user_id or source should be reviewed for legitimacy
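The following is an added example, not part of the rule text or any product's code, showing how steps 2 and 4 of the checklist can be enforced at the database layer rather than by policy alone. It uses SQLite so it runs offline; the `review_submissions` table, the `submission_id` column, the `quote` column and the sample rows are assumptions, while `testimonials`, `user_id` and `source` and the audit query come from the checklist above. The legacy schema shows why the audit query finds rows to flag; the hardened schema makes an admin-panel insert with no user submission behind it fail at the database, which is the control the remediation asks for.

```python
"""Added example (not from the rule text): a minimal testimonial store that
enforces the checklist's collection rules in the schema, plus the audit query
the rule prescribes. Table/column names beyond `testimonials`, `user_id` and
`source` are assumptions for illustration."""
import sqlite3

# Legacy shape: nothing stops an admin-created row with no user behind it.
LEGACY_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE testimonials (
    id INTEGER PRIMARY KEY,
    user_id INTEGER,
    source TEXT,
    submission_date TEXT,
    quote TEXT NOT NULL
);
"""

# Hardened shape (assumed table names): every testimonial must reference a
# user submission record, carry a user_id, and name a source from a fixed list.
HARDENED_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE review_submissions (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    source TEXT NOT NULL CHECK (source IN ('in-app prompt', 'email survey', 'external platform')),
    submitted_at TEXT NOT NULL,
    quote TEXT NOT NULL
);
CREATE TABLE testimonials (
    id INTEGER PRIMARY KEY,
    submission_id INTEGER NOT NULL UNIQUE REFERENCES review_submissions(id),
    user_id INTEGER NOT NULL REFERENCES users(id),
    source TEXT NOT NULL CHECK (source IN ('in-app prompt', 'email survey', 'external platform')),
    submission_date TEXT NOT NULL,
    quote TEXT NOT NULL
);
"""


def open_db(schema: str) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(schema)
    return conn


def audit_testimonials(conn: sqlite3.Connection) -> list:
    """Step 4 of the checklist: rows with no user or no source need manual review."""
    return conn.execute(
        "SELECT id, user_id, source FROM testimonials "
        "WHERE user_id IS NULL OR source IS NULL ORDER BY id"
    ).fetchall()


def publish_testimonial(conn: sqlite3.Connection, submission_id: int) -> int:
    """The only supported path to a testimonial: promote an existing user submission."""
    row = conn.execute(
        "SELECT user_id, source, submitted_at, quote FROM review_submissions WHERE id = ?",
        (submission_id,),
    ).fetchone()
    if row is None:
        raise LookupError(f"no user submission with id {submission_id}")
    cur = conn.execute(
        "INSERT INTO testimonials (submission_id, user_id, source, submission_date, quote) "
        "VALUES (?, ?, ?, ?, ?)",
        (submission_id, *row),
    )
    conn.commit()
    return cur.lastrowid


def admin_direct_insert(conn: sqlite3.Connection, quote: str) -> bool:
    """What an admin panel without a submission trail does. True only if the
    database accepted a testimonial row that has no user or source behind it."""
    try:
        conn.execute("INSERT INTO testimonials (quote) VALUES (?)", (quote,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def seed_legacy(conn: sqlite3.Connection) -> None:
    # Constructed sample data: one clean row, one with no user, one with no source.
    conn.execute("INSERT INTO users VALUES (1, 'dana@example.com')")
    conn.executemany(
        "INSERT INTO testimonials (user_id, source, submission_date, quote) VALUES (?, ?, ?, ?)",
        [
            (1, "email survey", "2024-03-02", "Cut our onboarding time in half."),
            (None, "in-app prompt", "2024-03-05", "Since using the product, I have..."),
            (1, None, "2024-03-06", "Fantastic support team."),
        ],
    )
    conn.commit()


def demo() -> tuple:
    legacy = open_db(LEGACY_SCHEMA)
    seed_legacy(legacy)
    flagged = audit_testimonials(legacy)                        # rows 2 and 3
    legacy_accepts_orphans = admin_direct_insert(legacy, "Five stars!")  # True

    hardened = open_db(HARDENED_SCHEMA)
    hardened.execute("INSERT INTO users VALUES (1, 'dana@example.com')")
    hardened.execute(
        "INSERT INTO review_submissions (user_id, source, submitted_at, quote) "
        "VALUES (1, 'in-app prompt', '2024-04-01', 'Cut our onboarding time in half.')"
    )
    published_id = publish_testimonial(hardened, 1)
    hardened_accepts_orphans = admin_direct_insert(hardened, "Five stars!")  # False
    return (flagged, legacy_accepts_orphans, published_id,
            hardened_accepts_orphans, audit_testimonials(hardened))


if __name__ == "__main__":
    print(demo())
```

The `UNIQUE` on `submission_id` also stops one real submission from being republished as several testimonials, and the `CHECK` on `source` keeps the audit query meaningful by rejecting free-text sources that would never match the review platforms' names. On a production schema the same controls are a migration plus a backfill: run the audit query first, resolve every flagged row, then add the `NOT NULL` and foreign-key constraints.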